HSM

In the HSM tab and subtabs, you can configure the Hardware Security Module (HSM) of the Hardware Appliance.

The HSM configuration options offer the following:

  • Change the authentication codes of the PKCS#11 slots
  • Change the PIN of Backup Key Share smart cards
  • Make one-to-one copies of backup protection cards
  • Change the PIN of user credentials on smart cards for slot activation
  • Download a fully protected backup of the HSM's key material
  • Handle HSM key synchronization across a cluster

Please note that the functionality displayed might differ depending on your setup.

In case the HSM Audit Log is full, do NOT reboot the EJBCA Hardware Appliance eIDAS edition. Refer to the Troubleshooting section for more information.

Overview

This tab provides you with an overview of the HSM configuration.

WebConf: HSM > Overview

PKCS#11 Slots

You can only use manually specified authentication codes.

WebConf: HSM > PKCS#11 Slots

Changing a manually entered authentication code

Click Change to update a manually entered authentication code. Note that this might destroy existing sessions to the slot and could require a re-authentication.

Key Synchronization

WebConf: HSM > Key synchronization

Download protected HSM export

This will download the HSM key material so that you can migrate your data into another, external system. The format of the files is specific to the HSM vendor. The export is protected using the Backup Key for the higher Appliance Security Levels.

Smart Card Operations

These options are only available if you initialized the Hardware Appliance using smart cards for backup protection. To use these functions, connect the PIN pad to a USB port of the Hardware Appliance. Please note that the USB port of the HSM (the USB port on the PCI card, only accessible from the back) will not work. Use the USB ports on the front of the Hardware Appliance.

WebConf: HSM > Smart card operations

Change the PIN of the Backup Key Share on a smart card

Use this function for the following:

  • Change the PIN of the backup key share on a smart card. This is strongly recommended for each of the backup key share smart cards. It prevents a mix-up or accidental overwriting of the contents of a smart card.
  • Assign the card to another person of the company.
  • Change the PIN on a smart card that comes originally from another Hardware Appliance.

If you have additionally secured your PKCS#11 slots with smart card authentication, a similar functionality is offered to change the PIN of a PKCS#11 slot user on a smart card. That function can also be used to change the PIN of an HSM Admin User credential on a smart card.

Copy smart card (one-to-one)

Use this function to make an identical copy of a smart card. This allows you, for example, to create a second set of 2 out of 3 cards for your disaster recovery site. You should create a backup set of the Backup Key share smart cards. Please keep in mind that the Backup Key share smart cards should never be kept close to the backup of the Hardware Appliance.

Since each card is unique, this function cannot be used to recover lost cards in a card set. However, if you need a 2 out of 2 scenario, this function allows you to copy the data from the second smart card to the third smart card, effectively overwriting the Backup Key share on the third smart card.